Everyone's seen the subject lines in his or her inbox: "Chase Customer Service" or "EBay account suspension." The subject lines are meant to prompt you to action, using formal business language to get you to go to a website to confirm who you are, change your member settings, or for some other reason that involves your personal information. It may appear as correspondence from eBay, a credit card company, or even your bank.
But beware. These e-mails are not always as they appear, and taking action on them could cost you your identity.
Phishing for information
More and more frequently, these emails are phishing scams: e-mails characterized by the use of spam-like techniques to mass distribute fraudulent requests for information. The e-mails prompt unsuspecting users to go to a fraudulent websites to confirm personal information, update member settings, or something similar, in an effort to steal private information.
The Anti-Phishing Working Group, an industry association focused on monitoring and eliminating this form of identity theft, has received over 110,000 reports on phishing this year. A study by Gartner reports that from May 2004 to May 2005 about 1.2 million Americans were victims of phishing fraud, with a total loss of $929 million.
Defending yourself and your company against phishing scams requires that you and your employees recognize a few key traits these e-mails have in common, and set up safeguards to prevent falling victim.
First, phishing e-mails generally reveal a few tell-tales signs that they are not from a legitimate business's website, including:
- A large number of spelling errors,
- A salutation that addresses you as a "customer" or "member," not by your name,
- Links that are not the exact businesses' websites: google.xxxx.com, for example, and
- URLs that are only numbers after you click on a link, such as http://111.222.333.444, are likely fakes.
Second, an ounce of prevention can do a world of good when it comes to protecting your critical information. There are several ways you and your company can prevent falling victim:
- Never respond to e-mails requesting information or to verify information.
- Avoid filling in forms on websites when prompted to do so from an e-mail.
- Ignore e-mails with forms inside them.
- Use an e-mail program with robust spam blocking features to weed out phishing messages.
- If you believe a message may be legitimate, call up the company.
- Type in the company's homepage URL (obtained through a reputable search website) to verify problems.
- Have the latest security updates installed in your and your employees Web browsers.
- Employ optional browser plug-ins or toolbars to alert users that they are visiting a site reported to practice phishing.
The next threat
Phishing may be ubiquitous, but another scam, pharming, can do greater damage. It is similar to phishing, but rather than using some kind of e-mail lure, a hacker modifies a company's DNS software, so a user is directed to a copy of the website he or she is seeking. If pharming becomes ubiquitous, hundreds, even thousands, of users could give up personal information to criminals during routine of online-banking or similar actions.
Pharming and phishing share the same goal of redirecting an unsuspecting user to a fraudulent website, according to Joseph Steinberg, co-founder and CEO of Green Armor Solutions, a start-up selling visual cue software to help a user recognize an authentic site. Further, he adds, these techniques endanger not only financial institutions or hospitals, whose clients might have their identities stolen, but also any company with an internal online network of employees.
To protect businesses, their employees, and their clients from pharming attacks, Green Armor has developed a software that institutions use to help their websites' visitors determine that they are, in fact, at a legitimate website. Based on each different user's information, the software generates simple, unique visual signals, which fake sites cannot replicate, and which a user quickly comes to recognize as associated with the legitimate institution's website.
"Historically, end users have had to authenticate themselves, while websites were never forced to authenticate themselves to end-users," says Scott Chasin, CTO of Denver-based MX Logic, a provider of e-mail security solutions. Client-side solutions like Green Armor's are a step in the right direction. However, according to Chasin, more technology needs to be developed along these lines. Even the Secure Sockets Layer (SSL) certification developed by Netscape that tags a website and promises an encrypted transfer of data, is not foolproof, he adds.
Another layer of protection includes installing browser plug-ins that recognize fraudulent sites on individuals' machines. There are also browser plug-ins that inform users they've been directed to a site in, for example, Eastern Europe, even though they were initially surfing a U.S. site.
To prevent a pharmer from hacking into a domain name server (DNS), company's can install software that prevents or detects unauthorized changes. Additionally, according to Chasin, some institutions are turning to "multifactor authentication," which means requiring two or more elements to authenticate users. For example, a bank could require both a memorized password as well as a separate one coded on a physical token, like a card or keychain.
No single solution works all of the time, Chasin warns. Rather, he recommends what he calls "defensive depth," with multiple layers of defense along every node of information flow, from greater vigilance by end users to monitoring software on the server and password protection. "The more layers of defense you have, the more you can mitigate the risk," he says.